Smart Nest thermostat easily turned into spying device

At this year’s edition of the Black Hat security conference, a group of researchers has shown how extremely easy is to hack into the smart thermostats manufactured by Nest.

When Google acquired home automation company Nest earlier this year, many voiced their privacy concerns regarding the increased scope of Google’s data mining via Nest’s smart thermostats and smoke detectors.

But the danger might be even more immediate, as a group of researchers have demonstrated at this year’s edition of the Black Hat security conference.

Independent researcher Daniel Buentello, and researechers Yier Jin and Grant Hernandez of the University of Central Florida, have discovered that the OS level security checks that should prevent the installation of malware on the device can be easily bypassed.

Amazingly enough, it only takes a USB flash drive with malicious software and some 15 seconds of physical access to the device to compromise it.

Nest has done a good job securing the device’s wireless communications, but its USB port is a definite way in: the researchers demonstrated that by holding down the device’s power button, which allowed them to override the security checks (firmware signing) and upload custom malicious firmware on the thermostat.

“With Internet access, the Nest could now become a beachhead for an external attacker,” they pointed out. “The Nest thermostat is aware of when you are home and when you are on vacation, meaning a compromise of the Nest would allow remote attackers to learn the schedule of users. Furthermore, saved data, including WiFi credentials, would now become available to attackers.”

What’s more, a thusly controlled thermostat can be made to connect to any other device connected to the Internet, and creating thermostat-based botnets then becomes a realistic option. The attackers can use them to send out spam, but could also work out when the inhabitants are usually at home and when not, and then monetize that information either by acting on it themselves or selling it to other miscreants.

And if you think that it’s difficult for attackers to gain access to your device, think again: good social engineering can convince you to allow strangers into your house. What’s more, you could buy an already infected device from a malicious reseller and you have no means to check for compromise.

“The more convenient or smart something is, the less secure it is,” concluded Buentello, and added that all manufacturers of “Internet of Things” devices should consider security paramount and work hard to achieve it now, before the use of these devices escalates.